
Researchers Uncover Numerous Chinese Hacker Collectives Exploiting Ivanti Security Vulnerabilities

 

Several threat actors with connections to China have been identified as responsible for exploiting three security vulnerabilities affecting Ivanti appliances. These vulnerabilities are identified as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

Mandiant, a cybersecurity firm, has been monitoring these clusters of threat actors, identifying them under the names UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Among them, UNC3886, a Chinese hacking group, has been previously known for exploiting zero-day bugs in Fortinet and VMware systems to infiltrate networks.

Financially motivated actors have also been observed exploiting CVE-2023-46805 and CVE-2024-21887, likely for cryptocurrency mining purposes.

"UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments," Mandiant researchers said.

Post-exploitation activities by these threat actors often involve deploying malicious tools such as the Sliver command-and-control framework, WARPWIRE credential stealer variant, and a new backdoor named TERRIBLETEA, which comes with various functionalities like command execution and keylogging.

UNC5330 has been combining CVE-2024-21893 and CVE-2024-21887 to target Ivanti Connect Secure VPN appliances, leveraging custom malware like TONERJAM and PHANTOMNET for further actions. These include reconnaissance, lateral movement, and compromising LDAP bind accounts for higher privileges.

UNC5337, another China-linked group, has been using CVE-2023-46805 and CVE-2024-218 to infiltrate Ivanti devices since January 2024, deploying a custom malware toolset known as SPAWN. This toolset includes components like SPAWNSNAIL, SPAWNMOLE, SPAWNANT, and SPAWNSLOTH, designed for stealthy and persistent backdoor access.

Mandiant assesses with medium confidence that UNC5337 and UNC5221 might be the same group, highlighting the sophistication of their tools aimed at avoiding detection.

UNC5221 has also been associated with various web shells and a Perl-based web shell called ROOTROT, which is embedded into legitimate files to evade detection. Successful deployment of these shells leads to network reconnaissance and lateral movement, potentially compromising vCenter servers with a Golang backdoor named BRICKSTORM.

Finally, UNC5291, likely associated with another group called UNC3236, has been targeting academic, energy, defense, and health sectors, focusing on Citrix Netscaler ADC initially before shifting to Ivanti Connect Secure devices.

These findings emphasize the ongoing threat posed by edge appliances, with threat actors combining zero-day vulnerabilities, open-source tools, and custom backdoors to evade detection and maintain access to target networks for extended periods.

GitHub: Repositories Selling Fake Microsoft Exchange Exploits

 

Researchers have detected threat actors, impersonating security researchers and selling proof-of-concept ProxyNotShell exploits for the recently discovered Microsoft Exchange zero-day vulnerabilities. 

GTSC, a Vietnamese cybersecurity firm, confirmed last week that its customers were being attacked using two new zero-day vulnerabilities in Microsoft Exchange.

Once notified of the vulnerabilities, Microsoft confirmed that the bugs were being exploited in attacks and that it was working on an accelerated timeline to release security updates.

“Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization," Microsoft states in an analysis.  

After Microsoft and GTSC disclosed the flaws, threat actors began a campaign to exploit interest in them by creating GitHub repositories that claimed to offer exploits.

Microsoft has since been tracking the flaws as CVE-2022-41040 and CVE-2022-41082; the first is a Server-Side Request Forgery (SSRF) bug, while the second allows attackers to achieve remote code execution (RCE) via PowerShell.

In one instance, a threat actor impersonated the well-known security researcher Kevin Beaumont (aka GossiTheDog), who has been documenting the recently discovered Exchange flaws and the available mitigations.

The fraudulent repositories contained nothing of substance: the README.md restates what is currently known about the vulnerabilities, followed by a pitch offering one copy of a PoC exploit for the zero-days for sale.

The README contains a link to a SatoshiDisk page, where the threat actor attempts to sell the fake exploit for 0.01825265 Bitcoin, worth about $364.

Since the security researchers who found the flaws are keeping the technical details private, only a small number of threat actors appear to possess a working exploit.

As a result, many other researchers and threat actors are waiting for the vulnerabilities to be published before using them in their own operations, whether to protect a network or to break into one.

Evidently, more threat actors will look to take advantage of this situation. Given that working Microsoft Exchange Server zero-day exploits could be traded for hundreds of thousands of dollars, one should be wary of handing over money or cryptocurrency to anyone claiming to have such an exploit.

A 15-Year-Old Bug Affected Over 350,000 Open-Source Projects

 

Trellix's Advanced Research Center has rediscovered a 15-year-old vulnerability in the Python programming language that can still be exploited and affects over 350,000 projects.

Trellix researchers initially believed they had found a zero-day vulnerability; it turned out to be a 15-year-old security flaw in a Python module that has remained unpatched and now exposes around 350,000 open- and closed-source projects to the risk of supply chain attacks.

Trellix estimates that many of the affected repositories are used by machine learning tools that help developers complete projects quickly.

In one of the write-ups, Kasimir Schulz explained that the vulnerability is a form of path traversal attack in the "extract and extractall functions of the tarfile module". The affected open-source projects cover a wide range of areas, including web development, media, IT management, software development, artificial intelligence, machine learning, and security.

The vulnerability, tracked as CVE-2007-4559, allows an attacker to overwrite arbitrary files, and from there execute code, by supplying a TAR archive whose member filenames contain directory-traversal sequences that a user then extracts. This can give the attacker control of the targeted device.

It is similar to CVE-2022-30333, recently found in RARLab's UnRAR, which also allows an attacker to execute code remotely.

CVE-2007-4559 was first reported in 2007, when Red Hat, one of the world's leading providers of enterprise open-source software, classified it as a low-severity vulnerability.

The bug can be exploited on Linux as well. A specially crafted TAR archive can overwrite arbitrary existing files on the target device as soon as it is extracted. Through this simple overwrite, the attacker can plant a malicious file in a way that leads to code execution, because the file is written outside the intended directory boundary when the archive is extracted.

Reportedly, Trellix has begun contributing patches for the vulnerability. Initially, they are being made available for about 11000 projects, with patches for about 7000 projects to follow within the next week.
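The following is an added example, not code from Trellix, CPython or any of the affected projects, showing the kind of check the article's description of CVE-2007-4559 calls for: validate every member of a TAR archive against the destination directory before anything is written, rejecting names that resolve outside it and links whose targets do. The function names (safe_extract, check_members, build_tar, run_demo), the TraversalError class and the three in-memory archives are this example's own constructions.

```python
import io
import os
import tarfile
import tempfile


class TraversalError(Exception):
    """Raised when an archive member would land outside the destination."""


def _is_within(base: str, target: str) -> bool:
    """True if target resolves to base itself or something underneath it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def check_members(tar: tarfile.TarFile, dest: str) -> list:
    """Validate every member before anything is written; raise on the first escape."""
    safe = []
    for m in tar.getmembers():
        # Absolute names and '..' sequences are the CVE-2007-4559 pattern itself.
        if os.path.isabs(m.name) or not _is_within(dest, os.path.join(dest, m.name)):
            raise TraversalError(f"member {m.name!r} escapes {dest!r}")
        # A link whose target lies outside dest is the second classic escape:
        # a later member written through the link would land outside too.
        if m.issym() or m.islnk():
            if m.issym():   # symlink targets are relative to the link's directory
                target = os.path.join(dest, os.path.dirname(m.name), m.linkname)
            else:           # hard-link targets are relative to the archive root
                target = os.path.join(dest, m.linkname)
            if os.path.isabs(m.linkname) or not _is_within(dest, target):
                raise TraversalError(f"link {m.name!r} -> {m.linkname!r} escapes {dest!r}")
        safe.append(m)
    return safe


def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Extract only after the whole member list has passed check_members."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        members = check_members(tar, dest)
        # On interpreters with PEP 706 (3.12+, and the 3.8-3.11 backports) also
        # apply the standard library's own 'data' filter as a second layer.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(path=dest, members=members, **extra)
    return [m.name for m in members]


def build_tar(files: dict, symlinks: dict = None) -> bytes:
    """Build a tar archive in memory (constructed test data, not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in (symlinks or {}).items():
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


# Constructed archives: one benign, one with a '..' member, one with an escaping symlink.
BENIGN = build_tar({"pkg/README": "hello\n"})
DOTDOT = build_tar({"pkg/README": "hello\n", "../../evil_from_tar.txt": "owned\n"})
SYMLINK = build_tar({"pkg/README": "hello\n"}, symlinks={"pkg/etc": "../../../etc"})


def run_demo() -> dict:
    """Extract each archive into a fresh temp dir and report the outcome."""
    dest = tempfile.mkdtemp(prefix="safe_extract_")
    result = {"benign": safe_extract(BENIGN, dest)}
    for label, archive in (("dotdot", DOTDOT), ("symlink", SYMLINK)):
        try:
            safe_extract(archive, dest)
            result[label] = "extracted"
        except TraversalError as exc:
            result[label] = str(exc)
    # Nothing was written outside dest: the traversal member never reached disk.
    result["escaped_file_exists"] = os.path.exists(
        os.path.join(dest, "..", "..", "evil_from_tar.txt"))
    return result


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The check runs over the whole member list before the first byte is extracted, so a rejected archive leaves no partially written tree behind. On Python versions that carry PEP 706, `tarfile.extractall(..., filter="data")` performs equivalent checks in the standard library itself; the manual check above shows the logic and still protects extraction on older interpreters.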

Major Vulnerabilities Found in Wireless LAN Devices in Airlines

Two critical vulnerabilities were found in the Flexlan series of wireless LAN devices, which provide internet service on aircraft. Necrum Security Labs researchers Samy Younsi and Thomas Knudsen carried out the research that led to the discovery of the two flaws, tracked as CVE-2022-36158 and CVE-2022-36159.

The vulnerabilities affect the Flexlan FXA3000 and FXA2000 series, made by the Japan-based firm Contec.
 
Describing the first vulnerability, the researchers said that while reverse engineering the firmware they found a hidden web page that is not listed among the wireless LAN manager interfaces, and that it makes it trivial to run Linux commands on the device with root privileges. They noted that this first vulnerability gave access to all system files as well as to the telnet port, which exposes the whole device.
 
Regarding the second vulnerability, the researchers said it stems from hard-coded, weak cryptographic keys and backdoor accounts. During the research they were also able to recover a shadow file and crack it within a few minutes using a brute-force attack; the file contained the password hashes of two accounts, including root.
 
The researchers explained that a device owner can only change the password from the web admin interface, because the root account is reserved for maintenance by Contec. As a result, an attacker who knows the hard-coded root password can access any Flexlan FXA2000 and FXA3000 series device with ease.
 
Regarding remediation, the researchers stressed, for the first vulnerability, that "the hidden engineering web pages should be removed from all unfortified devices, as weak passwords make access easier for cyber attackers." For the second vulnerability, the advisory recommended that "the company should create new strong passwords for every single device during the manufacturing process."

Spyware Group ‘Knotweed’ Employs Windows and Adobe Bugs to Target Firms Worldwide

 

Microsoft has unearthed an Austrian “cyber mercenary” group employing Windows and Adobe exploits to target organizations with spyware since at least 2021. 

Security analysts at Microsoft’s Threat Intelligence Center and Security Response Center said the organization is a private-sector offensive actor (PSOA) called Decision Supporting Information Research Forensic (DSIRF), but dubbed by Microsoft with the codename Knotweed. 

A cyber-weapons broker has launched multiple attacks on law firms, banks, and strategic consultancies in countries across the globe via spyware — dubbed Subzero — that allows its users to remotely and silently infiltrate a victim’s computer, phone, network infrastructure, and internet-linked devices.

"DSIRF has been linked to the development and attempted sale of a malware toolset called Subzero, which enables customers to hack into their targets' computers, phones, network infrastructure, and internet-connected devices," Microsoft said in a blog post. 

DSIRF promotes Subzero as a “next generation cyber warfare” tool that can secure full control of a victim’s PC, steal passwords and disclose its real-time location, according to a copy of an internal presentation released by Netzpolitik, a German news website, in 2021. 

The report claims that DSIRF, which reportedly has links to the Russian state, promoted its tool for use during the 2016 U.S. presidential election. The German government was also considering the purchase and use of Subzero to enhance its cyber defense. 

Microsoft said it has issued a software update to mitigate the use of the identified vulnerabilities. The tech giant has also released signatures of the malware to shield Windows users from exploits Knotweed was employing to help deliver its malware. 

More action is needed on a broader level, given that DSIRF will not be the last PSOA to target organizations, as Microsoft researchers explained in a brief sent to Congress on Wednesday. 

"We are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms," researchers explained. "We welcome Congress's focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use both here in the United States and elsewhere around the world."

China-linked APT Went Under Radar for Decade

 

Researchers have discovered a small but effective China-linked APT that has been operating in Southeast Asia and Australia for more than a decade, running campaigns against government, education, and telecommunications institutions. 

SentinelLabs researchers stated that the APT, dubbed Aoqin Dragon, has been active since at least 2013. According to the report, the APT is "a small Chinese-speaking team with potential association to [an APT called] UNC94." According to researchers, one of Aoqin Dragon's methods and approaches is to use pornographic-themed infected documents as bait to attract victims to download them. 

“Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,” researchers wrote. The group's evolution over the years has allowed it to stay under the radar for so long. For example, the APT's technique for infecting target computers has progressed. In its early years of operation, Aoqin Dragon relied on exploiting old vulnerabilities, particularly CVE-2012-0158 and CVE-2010-3333, that its targets may not yet have patched.

Aoqin Dragon later developed executable files with desktop icons that resembled Windows folders or antivirus software. These programmes were malicious droppers that planted backdoors and then connected to the attackers' command-and-control (C2) servers. Since 2018, the group has used a fake removable device as an infection vector.

When a user clicks to view what appears to be a removable device folder, they really start a chain reaction that downloads a backdoor and establishes a C2 connection on their PC. Furthermore, the malware replicates itself to any genuine removable devices attached to the host system in order to move beyond the host and, presumably, onto the target's larger network. Other methods have been used by the group to remain undetected. 

The group has used DNS tunnelling to get around firewalls by hiding its traffic inside DNS queries. Mongall, one of its backdoors, encrypts communication between the host and the C2 server. According to the researchers, the APT gradually shifted to the fake removable disk approach over time, in order to "improve the malware's resistance to detection and removal by security tools."

Nation-State Ties

Targets have tended to fall into a few categories: government, education, and telecommunications, all in and around Southeast Asia. Researchers assert that “the targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests.” 

A debug log discovered by the researchers that contains simplified Chinese characters provides further evidence of Chinese involvement. Most importantly, the researchers uncovered an overlapping attack on the website of Myanmar's president in 2014. In another case, investigators were able to trace the hackers' command-and-control and mail servers all the way back to Beijing.

In addition, Aoqin Dragon's two primary backdoors share overlapping C2 infrastructure, and most of the C2 servers can be attributed to Chinese-speaking operators. Still, "correctly identifying and monitoring State and State-Sponsored threat actors can be challenging," said Mike Parkin, senior technical engineer at Vulcan Cyber.

“SentinelOne releasing the information now on an APT group that has apparently been active for almost a decade, and doesn’t appear in other lists, shows how hard it can be to be sure when you’re identifying a new threat actor.”

Researcher Detects 70 Web Cache Poisoning Vulnerabilities, Gets $40k in bug bounty rewards

 

Despite the fact that it is a well-known and well-documented vulnerability, 'web cache poisoning' continues to be a concern on the internet. 

Security researcher Iustin Ladunca (Youstin) recently uncovered 70 cache poisoning vulnerabilities with varying implications after conducting a thorough investigation on different websites, including some high-traffic online services. 

The intermediate storage points between web servers and client devices, such as point-of-presence servers, proxies, and load balancers, are the targets of web cache poisoning attacks. These intermediates aid website speed by keeping local versions of online content and delivering them to web clients faster. Cache poisoning attacks change the way cache servers behave and respond to certain URL requests from clients. 

Ladunca told The Daily Swig, “I started researching web cache poisoning back in November 2020, shortly after reading James Kettle’s extensive research on the topic. Only a few weeks in, I discovered two novel cache poisoning vulnerabilities, which made me realize just how wide the attack surface for cache poisoning is.”

Ladunca outlined in a blog post how he identified and disclosed the web cache vulnerabilities, which affected Apache Traffic Server, GitHub, GitLab, HackerOne, and Cloudflare, among others.

“A common pattern was caching servers configured to only cache static files, meaning attacks were limited to static files only,” Ladunca stated.

“Even so, there still was a significant impact, since modern websites rely heavily on JS [JavaScript] and CSS [cascading style sheets] and taking those files down would really affect application availability.”

Several of the web cache vulnerabilities enabled denial of service (DoS) attacks. Cache servers use certain headers as keys when storing and looking up responses for URL requests. By sending faulty values in unkeyed headers, Ladunca was able to force servers to cache error responses and serve them instead of the original content, making the target URLs unreachable to clients.

“In terms of techniques used, by far the most common one was CP-DoS through unkeyed headers, which probably accounted for 80% of [the] total findings,” Ladunca said. 

Other web cache poisoning flaws enabled cross-site scripting (XSS) attacks. One vulnerability, for example, could cause the cache server to forward JavaScript file requests to an attacker-controlled IP address. In another case, Ladunca was able to reroute a cached request from one host to another that was vulnerable to DOM-based XSS.

For the 70 web cache vulnerabilities he uncovered, Ladunca received a bug bounty of roughly $40,000. He did, however, learn some valuable lessons about safeguarding web cache servers. 

“I would say a good way to secure CDNs from cache poisoning attacks would be disabling caching for error status codes, a mitigation which should stop a large part of CP-DoS attacks,” he said. 

The researcher also suggested using PortSwigger's Param Miner, an open-source tool for locating hidden, unlinked parameters. Running it against web applications can help detect unkeyed headers that could be used for web cache poisoning.
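To make the CP-DoS pattern and Ladunca's suggested mitigation concrete, here is an added example that is not code from his write-up, from PortSwigger or from any CDN. It models a toy reverse-proxy cache in front of a toy origin: the origin returns a 400 whenever an optional header carries a value it cannot parse, and the cache keys entries on the path only, so that header is "unkeyed". The constructed header name `x-example-hint`, the `Cache` class and the `scenario`/`run_demo` helpers are this example's own; the three configurations compared are the default (errors cached), the "do not cache error status codes" setting the article recommends, and adding the header to the cache key.

```python
from collections import namedtuple

Response = namedtuple("Response", ["status", "body"])
HINT = "x-example-hint"   # constructed header name, not a real CDN or origin header


def origin(path: str, headers: dict) -> Response:
    """Constructed origin: serves one static JS file, but answers 400 whenever
    the optional hint header holds a value it cannot parse."""
    hint = headers.get(HINT, "")
    if hint and not hint.isalnum():
        return Response(400, "bad request")
    if path == "/app.js":
        return Response(200, "console.log('app');")
    return Response(404, "not found")


class Cache:
    """Toy reverse-proxy cache keyed on the path plus any headers in keyed_headers."""

    def __init__(self, keyed_headers=(), cache_errors=True):
        self.store = {}
        self.keyed_headers = tuple(h.lower() for h in keyed_headers)
        self.cache_errors = cache_errors

    def key(self, path: str, headers: dict) -> tuple:
        # Only keyed headers distinguish entries; every other header is "unkeyed",
        # so two requests that differ only there share one cache slot.
        return (path,) + tuple(headers.get(h, "") for h in self.keyed_headers)

    def get(self, path: str, headers: dict) -> Response:
        k = self.key(path, headers)
        if k in self.store:
            return self.store[k]
        resp = origin(path, headers)
        # The article's mitigation: with cache_errors=False, a non-200 response
        # is passed through to this client but never stored for the next one.
        if resp.status == 200 or self.cache_errors:
            self.store[k] = resp
        return resp


def scenario(cache: Cache) -> int:
    """One request carries an unparsable unkeyed header; a second, clean client
    then asks for the same file. Returns the status the clean client sees."""
    cache.get("/app.js", {HINT: "!!not-alnum!!"})
    return cache.get("/app.js", {}).status


def run_demo() -> dict:
    """Compare the three cache configurations on the same request sequence."""
    return {
        "unkeyed_and_errors_cached": scenario(Cache()),
        "errors_not_cached": scenario(Cache(cache_errors=False)),
        "header_added_to_key": scenario(Cache(keyed_headers=[HINT])),
    }


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: clean client receives HTTP {status}")
```

With the default configuration the clean client receives the cached 400 and the file is effectively taken down for everyone sharing that cache entry; refusing to cache error status codes stops that outright, which is why the article singles it out. Adding the header to the key also works here, but only for headers you already know about and at the cost of fragmenting the cache, so in practice it is paired with normalising or dropping unexpected headers before they reach the origin.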